That's just one of many war game scenarios facing a group of industry and government officials now shaping a national cyberspace defense plan.
The President's Commission on Critical Infrastructure Protection, created by President Bill Clinton last July to chart a national cyberdefense policy, sponsored its first war game last month in Albuquerque, N.M. A second war game is planned for late March in the Washington area.
The war games are intended to highlight various threats to the nation's critical networks and generate support for a defense scheme among industry executives who fear the effort will lead to increased regulation of the infotech industry.
| Critical Information Networks |
| The phone networks, including the long distance lines and the local loops, which carry nearly all communications among government, business and consumers. |
| The financial system, including the stock market and the banking system, which transfers $1 trillion per day among banks, businesses, merchants and customers. |
| The insurance companies, which store vast quantities of billing data and risk-related information about their clients. |
| The power grid, which uses computerized controls to instantly shift electrical power from region to region. |
| The oil and gas distribution networks, whose pipelines are monitored and controlled by nationwide computer networks. |
| The air traffic control system, designed to track the location and speed of every major aircraft flying through the nation's airspace. |
| Ground and water transportation companies, which use computerized networks to speed the delivery of packages and goods worldwide. |
| Emergency services, including police, ambulance and fire services, which rely on the phone network for warning and coordination. |
"We have to persuade the private sector there is a potential problem here, and it is in our mutual interest ... to close the gaps," said Robert Marsh, chairman of the commission based in Arlington, Va.
Officials in the Department of Justice, the Pentagon and intelligence agencies say that hackers could wreck or seriously damage the nation's critical computer-controlled information networks, which include the phone system, the power grid and the automated control centers used by railroads, airlines and fuel delivery companies.
The commission, which is scheduled to recommend a list of possible defense options by July, has gotten off to a relatively slow start. By late January, only five of the planned 10 civilian experts had been selected to join the 10 government employees on the commission's 20-person main working group.
But Marsh said five civilian experts would soon be appointed and that several prestigious industry executives would soon join the commission's advisory panel. Close cooperation with industry will be aided by the war games and a five-city tour by the commission, said Marsh.
The commission's work has top-level political support, said Marsh. Although the commission has lost two of its chief backers - Jamie Gorelick, who will soon leave the No. 2 job at the Department of Justice, and CIA chief John Deutch, who recently retired - "we have every reason to believe [Vice President Al Gore] will become a very strong supporter of this effort," said Marsh.
Gore recently added one of his staff members to the four officials in the commission's steering group that oversees the commission and its panel of outside industry advisers. Gore's representative is domestic policy adviser Greg Simon.
"We'll have our report July 15 ... [but] I would not be surprised if [the deadline] was extended," Marsh said.
During the war games, roughly 60 industry and 40 government officials divide into two mixed offensive and defensive teams before choosing from a menu of attack and defense options, according to Pace VanDevender, president of The Prosperity Institute, Albuquerque, N.M., which designed the war game.
The aim of the games is for participants to find the most promising way to protect eight critical networks: phones, the banking system, insurance companies, the power grid, oil and gas distribution, air traffic control, emergency services, and ground and water transport.
Each side is allowed to choose several options from a long menu of technologies, policies and tactics. Offensive options that the attacking team can use to wreck networks include disgruntled employees and hard-to-detect software viruses that slowly degrade the phone networks' reliability and eventually undermine the stock value of phone companies, VanDevender said.
Defensive measures available to the other team include a government-sponsored disaster insurance scheme for companies that adopt good information security procedures, an industry-developed technology to detect subtle hacker attacks or amendments to antitrust regulations that ease defensive coordination by large companies, VanDevender said.
Most of the executives participating in the war games are from the phone, utility or transportation sectors, said Marsh.
Options being considered by the commission include government loans for corporate information security investments or changes in
tax depreciation rates to ease companies' purchase of the latest information security gear. Government officials could also foster
professional standards for corporate information security policies, ensuring cheaper disaster-insurance rates for companies that follow the standards, said Marsh. But any standards must be developed by industry because it "will be for nought if we don't have industry concurrence," he said.
The government could also accelerate the development of anti-hacker technology or help create a nationwide alarm system to alert companies to hacker attacks, Marsh said.
The government already funds the Pittsburgh-based Computer Emergency Response Team, which works with companies to identify and fix flaws in commercial hardware and software.
But infotech industry executives have shown little enthusiasm for the commission, said Richard Barth, the Washington-based director of telecommunications strategy and regulation for Motorola Inc., Schaumburg, Ill. "It is not a high priority [for the high-tech industry]," he said, adding that the commission "is going to become a bureaucratic exercise."
For example, industry's suspicions - fueled by disputes over government encryption and wiretap policies - are behind the government's decision last month to hand over the task of creating security standards to a panel being created by the Washington-based Information Technology Industry Council, said a Pentagon official.
The council, funded by companies such as Motorola, Eastman Kodak Co., Rochester, N.Y., and AT&T, Basking Ridge, N.J., will collect data on any threats to the networks, and complete a report before July on "what, if anything, is necessary to increase or enhance security," said John Wilson, a vice president for technology policy at the council. The council will concentrate its study on the possible contribution of security-related practices and professional standards, instead of technology or government policies, Wilson said.
"Government has a valid standing as a customer," and can buy the extra security measure it wants for its own networks, said Edward Kerkeslager, vice president for technology and infrastructure at AT&T. But the government should rely on the marketplace to come up with security measures for the rest of the nation, he said.
Driven by customer demand, AT&T has sharply reduced network reliability problems since 1978 while expanding its network to include 40,000 miles of fiber optic cable, said Frank Ianna, a vice president of AT&T and general manager of network and computer sciences for the company.
The best thing the government can do for network security is the creation of a nationwide system to warn backhoe drivers when they are digging close to buried fiber optic cables, Ianna said. The government might also share some anti-hacker technology, he said, adding that he could think of no legislation that would prompt companies to spend more money on network security.
One danger for the commission is that industry may simultaneously reject any government role while agreeing that hacker attacks launched by terrorists or by foreign governments are a national security threat, said an industry official. But once these hacker attacks are classified as a national security threat, companies can't be held liable for any resulting damages, so reducing the incentive to build up anti-hacker defense, he said.